software vulnerabilities - iswat · software vulnerabilities software is designed (should) to meet...
TRANSCRIPT
Software Vulnerabilities
Software is designed (should) to meet requirements
A software bug is un unmet specification, a failure in meet the requirements.
If a bug is related to a security requirement, it is a Software Vulnerability
Vulnerability is a subset of bug
A Vulnerability is a bug the has a reflect on constraints of CIA (Confidentiality, Integrity,
Availability)
Weakness or gap
Exploit is a set of instructions for abusing a sw vulnerability in order to cause
unintended or unanticipated behavior.
There are no perfect softwares
There are only things that are secure “enough”..
VA&PT
A Vulnerability Assessment is the way to find as many flaws as possible and
make a prioritized list of remediation items.
• List Oriented
• Don’t differentiate between flaws that can be exploited to cause damage
and those that cannot.
A Penetration Test is an intrusive test, simulating real threat scenario and it is
designed to evaluate also the defense measures in place.
• Goal oriented
• A penetration test is meant to show how damaging a flaw could be in a
real attack rather than find every flaw in a system
Often combined to achieve more cohmprensive security analysis
VA&PT
• Vulnerability Assessment: Find every flaws in a system
• Vulnerability Assessment is not Risk Assessment!
• Penetration Test: Evaluate how damaging a flaw could be in real attack.
• VAPT provides a detailed view of the threats facing its applications,
enabling the business to better protect its systems and data from
malicious attacks
OWASP TOP 10
he list consists of the top biggest Application Security Risks according to OWASP.
va, wapt, npt, eh...
• a vulnerability assessment is the process of identifying and quantifying security
vulnerabilities in an environment.
• An in-depth evaluation of your information security posture
• Vulnerability Assessments Follow These General Steps:
1. Catalog assets and resources in a system
2. Assign quantifiable value and importance to the resources
3. Identify the security vulnerabilities or potential threats to each resource
4. Mitigate or eliminate the most serious vulnerabilities for the most valuable
resources
NESSUS Demo
Acunetix Web VS Demo
PT Phases
• Penetration Test Follow These General Steps:
1. Pre-engagement activities (RoE, Scoping, Schedule, Formal
permission)
2. Reconnaissance and Info Gathering
3. Enumeration,scanning
4. Automated and Manual Testing, gaining access, exploitation
5. Reporting
6. Remediation Support
Malicious Attackers go further:
• Mantaining access with backdoord
• Covering tracks
Types of Penetration Test
• Network service test
• Client-side test
• Web App Pen Test
• Wireless Pen Test
• Social Engineering Test
• Physical Security Test
• Cryptanalysis Attack
Determine the scope
• Network (PenTest, VA, wireless)
• Application (code or vuln scan)
• Process
• How critical is the system you assessing?
• High,medium – use external assessor
• Low self-assessment
• What are the concerns?
• Disclosure of sensitive information
• Interruption of production processing
• Compromising of a particular machine..
Testing Methodologies
• Open Source Security Testing Methodology (OSSTMM)
• Pen Testing Execution Standard (PTES)
• NIST Special Pubblication 800-15: Technical Guide to Information Security
Assessment and testing
• Open Web Application Security Project (OWASP)
• Penetration Testing Framework
OSSTMM
OSSTMM is a scientific methodology developed by many volunteers worldwidethrough the peer model review.• Written by Pete Herzog and distributed by ISECOM• Includes numeros information gathering templates• Covers scoping,metrics,human security,data network security testing….• This document strives:• Repeatability• Consistency• High quality
OSSTMM
BLIND: quando l’attaccante non conosce minimamente il sistema da analizzare. E’ conosciutosolamente il target (Indirizzi IP o URL) .DOUBLE BLIND: simile a quello precedente con la differenza che alcune persone delcommittente sono al corrente del test. Viene tipicamente usato per verificare se il personaleinterno dedicato alla sicurezza è “vigile” e svolge con diligenza il proprio lavoro.GRAY BOX: sia l’attaccante che l’attacco sono pienamente a conoscenza sia del sistemainformatico da analizzare che delle modalità di attacco. Viene utilizzato quando si analizza ilproprio sistema interno.DOUBLE GRAY BOX: è un gray box che prevede la conoscenza delle credenziali di accesso.Viene usato per testare l’accesso ad informazioni più riservate rispetto al suo livello da parte diun utente.TANDEM: analisi del codice. Chi verifica e chi crea il codice collaboranoREVERSAL: test a uso interno. Il tester ha una grande quantità di informazione ilcommittente non sa i tempi e le metodologie con cui verrà attaccato.
OWASP
Focused on Web Application Testing
• Owasp Testing Guide v.4.0 (https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)
• OWASP TOP TEN 2017 (https://www.owasp.org/index.php/Top_10-2017_Top_10)• Denial of service testing• Ajax testing• Web services testing• Data validation testing• Business logic testing• Session managmente testing
PTES
Available at www.pentest-standard.org
• Pre-engagement interactions• Intelligence gathering• Threat modeling• Vuln analysis• Exploitation and post exploitation• reporting
NIST 800-15
Covers planning, process, analysis, validation.It also includes appendix with a template for RoEThree types of Assessment methods can be used to accomplish this:• Testing• Examination• Interviewing
footprinting
DISCLOSED ORIENTED
• Organization website• IP addresses• Directories• Email• Domain name blocks• AP• …• OSINT
Fw/IDS
INTERNALEXTERNAL
• Internal DNS• Dumpster Diving• Shoulder Surfing• Evasedropping• Private company stuff
• Phone• Network• Websites• Whois• Google• DNS• Email header• Social networks• Job sites• Ip blocks• Net blocks
enumeration
From enum to exploit…
White / Black / Gray Box Testing
• Black Box testing : without credentials, without details on target, realistic. Black box PT
evaluates both the underlying technology as well as the people and
processes in place to identify and block real-world attacks.
• White Box testing : with credentials, maybe also the source code is available, deeper
but also less realistic.
• Gray box testing: lies between black and white. Testers will have knowledge of some areas